
AI & Data Protection

A practical reference for organizations operating in Germany and the EU. It brings together EU AI Act risk categories, GDPR principles, individual rights, compliance duties, enforcement exposure, and practical governance steps.

Goals of the EU AI Act

The EU AI Act aims to create a common legal environment for AI across EU Member States while supporting safe and trustworthy AI development.

Trustworthy AI

Safety and fundamental rights

AI systems should be safe for users and respect privacy, equality, non-discrimination, human dignity, and other fundamental rights.

Foster innovation

Responsible adoption

The framework encourages responsible AI development across sectors while reducing legal fragmentation.

Harmonize rules

One EU framework

A unified regulatory environment helps organizations understand expectations across all EU Member States.

Safe

Systems should be assessed and managed so they do not create unacceptable risks for users.

Transparent

Users should understand when AI is being used and how it operates where transparency duties apply.

Traceable

Development and operation should be documented, logged, and auditable where required.

Non-discriminatory

AI systems should avoid biased or discriminatory outcomes and use appropriate data governance.

Environmentally responsible

Organizations should consider environmental impact in AI development and use.

EU AI Act risk hierarchy

The higher the risk to people’s rights, safety, or livelihoods, the stronger the legal obligations.

Unacceptable

Examples: social scoring, manipulative uses, and certain biometric surveillance practices.

Requirement: banned.

High

Examples: hiring, education, critical infrastructure, law enforcement, migration, public benefits, and essential services.

Requirement: strict compliance, documentation, risk management, human oversight, and monitoring.

Limited

Examples: chatbots, deepfakes, and certain user-facing AI interactions.

Requirement: transparency obligations.

Minimal

Examples: spam filters, AI in games, and low-impact internal tools.

Requirement: no specific AI Act obligations, though other laws may still apply.

GDPR and AI

The AI Act does not replace GDPR. Whenever AI processes personal data, organizations generally need to comply with both frameworks.

Privacy by design

Build protection in from day one

Data protection should be embedded into AI systems from the outset, not retrofitted later.

Data protection by default

Collect only what is necessary

Use the minimum personal data needed and protect it with appropriate technical and organizational measures.

Accountability

Document everything

Organizations must be able to demonstrate compliance through records, policies, assessments, and evidence of controls.

Lawful basis

AI systems need a valid legal basis before processing personal data, such as consent, contract, legal obligation, public task, vital interests, or legitimate interests.

Data minimization

Only data strictly necessary for the task should be collected, retained, or used for model inputs and outputs.

Human oversight

Where a decision is based solely on automated processing and has legal or similarly significant effects on a person, that person has the right to obtain human intervention, to express their point of view, and to contest the decision. A reviewer who cannot change the outcome does not satisfy this.

Key rights for individuals

Right to explanation / information about automated decisions

People should receive meaningful information about significant automated decisions where applicable.

Right to be forgotten

Individuals can request deletion of personal data when legal conditions are met.

Data portability

Where processing is based on consent or a contract and carried out by automated means, individuals can receive their personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller.

Right to notification

Individuals must be informed without undue delay when a personal data breach is likely to result in a high risk to their rights and freedoms; the supervisory authority must be notified of a breach within 72 hours unless the breach is unlikely to result in a risk.

Compliance terminology and responsibilities

AI governance requires clear ownership. Organizations should know whether they are developing, placing, importing, distributing, or deploying an AI system.

Provider

Entity that develops an AI system or general-purpose AI model, or has one developed, and places it on the market or puts it into service under its own name or trademark.

Deployer

Person or organization using an AI system under its own authority, other than for purely personal, non-professional activity.

GPAI

General-purpose AI models that can support a wide range of downstream tasks.

DPIA

Data Protection Impact Assessment, used to evaluate risks from personal data processing.

DPO

Data Protection Officer responsible for advising on and monitoring data protection compliance.

BDSG

Bundesdatenschutzgesetz, Germany’s Federal Data Protection Act.

Identify and classify AI systems

Inventory AI tools and map each one to the EU AI Act risk tier. Include internal, third-party, and embedded AI tools.

Conduct DPIAs where required

Run DPIAs when AI processing is likely to create high risks for individuals, especially with sensitive or large-scale data.

Implement TOMs

Establish technical and organizational measures such as access controls, encryption, logging, vulnerability management, and data leakage safeguards.

Mandate AI literacy

Train staff who use, procure, or manage AI tools so they understand risks, limitations, appropriate use, and escalation routes.

Assign governance owners

Define responsibilities across legal, privacy, security, procurement, HR, IT, business teams, and the DPO where applicable.

Violations, fines, and enforcement

Maximum fines depend on the law, violation type, and organization size. Treat these as headline maximums and confirm with legal counsel.

GDPR serious breaches: up to €20 million or 4% of total worldwide annual turnover, whichever is higher

Major infringements, such as serious violations of basic processing principles, data subject rights, or international transfer rules.

GDPR less severe breaches: up to €10 million or 2% of total worldwide annual turnover, whichever is higher

Certain governance, recordkeeping, and security-related obligations.

EU AI Act prohibited AI use: up to €35 million or 7% of total worldwide annual turnover, whichever is higher

Prohibited AI practices under the EU AI Act.

EU AI Act other violations: up to €15 million or 3% of total worldwide annual turnover, whichever is higher

Many other AI Act obligations, depending on the infringement. For SMEs and start-ups, the lower of the two amounts applies.

Important EU AI Act milestones

August 2024

Entry into force

The EU AI Act entered into force on 1 August 2024, starting the phased implementation timeline.

February 2025

Prohibited practices and AI literacy

Rules on banned practices and AI literacy obligations began applying.

August 2025

GPAI obligations begin

Obligations for general-purpose AI models start applying, with transition rules for some existing models.

August 2026 onward

Broader obligations phase in

Most of the Act, including the bulk of the high-risk obligations, applies from August 2026. High-risk systems that are safety components of products covered by existing EU product-safety legislation follow a longer timeline, to August 2027.

Additional facts organizations should not miss

AI Act compliance is not only an IT issue

Legal, privacy, security, procurement, HR, operations, and business owners all need defined responsibilities.

Vendor AI tools still need review

Using a third-party AI system does not remove the need to assess contracts, data flows, risk tier, security, and user obligations.

Training data quality matters

Poor, biased, incomplete, or unrepresentative data can create discrimination, inaccuracy, and compliance problems.

Logs and documentation are evidence

Risk assessments, model cards, DPIAs, incident records, access logs, vendor due diligence, and monitoring reports help demonstrate accountability.

Human oversight must be meaningful

Reviewers need authority, training, time, and information to challenge AI outputs rather than rubber-stamp them.

Prompts and outputs can contain sensitive data

Prompts may contain personal data or confidential information. Outputs may become records that need retention, review, or deletion controls.
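The data-leakage safeguard named under technical and organizational measures, and the prompt problem described just above, can be addressed at the same point: a filter that runs before a prompt leaves the organization. The following is an added example, not code from the original page or from any named product. It replaces e-mail addresses, German IBANs, and German-style phone numbers with keyed pseudonyms so the model receives no raw personal data, while an authorized reviewer can still re-identify a record from a separately stored mapping. The regular expressions, the key value, the function names, and the sample prompt are assumptions for illustration; a production filter would use a dedicated PII detector and a key held in a KMS or HSM.

```python
"""Added example (not from the original page): redact common personal-data
patterns from a prompt before it is sent to an external model, as one of the
"data leakage safeguards" listed under technical and organizational measures.
The regexes, the secret key and the sample prompt are assumptions."""
import hashlib
import hmac
import re

# Order matters: the IBAN pattern must run before the PHONE pattern, otherwise
# a run of IBAN digits could be mistaken for a phone number.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    # German IBAN: DE + 2 check digits + 18 digits, optionally in groups of 4
    "IBAN": re.compile(r"\bDE\d{2}(?:\s?\d{4}){4}\s?\d{2}\b"),
    # German-style numbers such as +49 30 1234567 or 0171/1234567
    "PHONE": re.compile(r"(?:\+49|\b0)\s?\d{2,5}[\s/-]?\d{4,10}\b"),
}

# Hypothetical per-tenant key; in production this comes from a KMS/HSM.
# Pseudonyms are keyed HMACs: stable across prompts, not reversible without
# the key, and not brute-forceable by hashing candidate values.
SECRET_KEY = b"replace-with-kms-managed-key"


def pseudonym(kind, value):
    """Deterministic, key-dependent placeholder for one personal-data value."""
    digest = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"<{kind}_{digest[:8]}>"


def minimize_prompt(text):
    """Return (redacted_text, mapping).

    Only redacted_text goes to the model. The mapping (token -> original
    value) is the re-identification table; store it under the same access
    controls and retention period as the personal data it points to, or
    drop it entirely if re-identification is never needed."""
    mapping = {}

    def substitute(kind):
        def repl(match):
            token = pseudonym(kind, match.group(0))
            mapping[token] = match.group(0)
            return token
        return repl

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(substitute(kind), text)
    return text, mapping


def contains_personal_data(text):
    """Guard for a pre-send check: True if any pattern still matches."""
    return any(p.search(text) for p in PATTERNS.values())


if __name__ == "__main__":
    # Constructed sample prompt with fictitious values
    sample = ("Summarise this complaint from anna.mueller@example.de, "
              "IBAN DE89 3704 0044 0532 0130 00, phone +49 30 1234567.")
    redacted, table = minimize_prompt(sample)
    print(redacted)
    print(table)
```

Because the pseudonym is an HMAC rather than a plain hash, the same customer appears under the same token across prompts (which keeps summaries and follow-up questions coherent) but nobody holding only the model logs can recover the value by hashing guesses. The mapping is the sensitive artifact: it turns the prompt log back into personal data, so it belongs with the records covered by the retention and deletion controls mentioned above, not beside the model output.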